<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I have compiled 3.6rc1 without FIPSCHECK, whatever that is, and I am
struggling with a conn.<br>
<br>
Because of bug 86 I use a conn like:<br>
<pre wrap="">conn MumIn
    type=tunnel
    authby=secret
    dpdtimeout=120
    dpddelay=30
    auto=add
    #left=%defaultroute
    #leftnexthop=%defaultroute
    #left=howitts.poweredbyclear.com
    left=82.19.147.85
    leftsourceip=172.17.2.1
    leftsubnet=172.17.2.0/24
    leftid=@Nick
    right=damim.dtdns.net
    rightsubnet=192.168.10.0/24
    salifetime=24h
    dpdaction=clear
    ikelifetime=24h
    ike=aes256-sha1;modp2048
    phase2alg=aes256
    rekey=no</pre>
<br>
My understanding of bug 86 is that the workaround when setting
left=%defaultroute is to also set leftnexthop=%defaultroute, but
with 3.6rc1 I just get a repeating:<br>
<br>
<pre wrap="">Sep 21 12:14:49 server pluto[20435]: packet from 82.30.103.217:500: initial Main Mode message received on 82.19.147.85:500 but no connection has been authorized with policy=PSK</pre>
<br>
With 3.5 it is different but also non-working:<br>
<br>
<pre wrap="">Sep 21 13:01:49 server pluto[24720]: packet from 82.30.103.217:500: received and ignored empty informational notification payload
Sep 21 13:01:52 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: responding to Main Mode from unknown peer 82.30.103.217
Sep 21 13:01:52 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 21 13:01:52 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Sep 21 13:01:53 server pluto[24720]: | ISAKMP Notification Payload
Sep 21 13:01:53 server pluto[24720]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: Main mode peer ID is ID_IPV4_ADDR: '82.30.103.217'
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: Dead Peer Detection (RFC 3706): enabled
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: cannot respond to IPsec SA request because no connection is known for 172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: sending encrypted notification INVALID_ID_INFORMATION to 82.30.103.217:500
Sep 21 13:01:56 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0
Sep 21 13:01:56 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: cannot respond to IPsec SA request because no connection is known for 172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24
Sep 21 13:01:56 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: sending encrypted notification INVALID_ID_INFORMATION to 82.30.103.217:500
Sep 21 13:02:02 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0
Sep 21 13:02:02 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: cannot respond to IPsec SA request because no connection is known for 172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24
Sep 21 13:02:02 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: sending encrypted notification INVALID_ID_INFORMATION to 82.30.103.217:500
Sep 21 13:02:05 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: received Delete SA payload: deleting ISAKMP State #12
Sep 21 13:02:05 server pluto[24720]: "PaulIn"[11] 82.30.103.217: deleting connection "PaulIn" instance with peer 82.30.103.217 {isakmp=#0/ipsec=#0}</pre>
<br>
I seem to remember it worked with 3.2 or 3.3 when the initial bug
was raised.<br>
<br>
I've also thrown up another bug. In ipsec.conf I have the usual
"include /etc/ipsec.d/ipsec.*.conf", but this loads
ipsec.unmanaged.MumIn.conf and ipsec.unmanaged.MumIn.conf1 (I
usually append 1 or something to a file name to temporarily remove
it from the equation). It correctly does not load
ipsec.unmanaged.MumIn.con1.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 20/09/2013 20:11, Paul Wouters
wrote:<br>
</div>
<blockquote cite="mid:523C9DF1.1030406@redhat.com" type="cite">
<pre wrap="">
On 09/19/2013 02:31 PM, Nick Howitt wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The build (rpmbuild -bb --target=x64_64 --clean --quiet
libreswan-3.6rc1/packaging/rhel/6/libreswan.spec) fails with:
/home/build/rpmbuild/BUILD/libreswan-3.6rc1/programs/pluto/plutomain.c:1116:
undefined reference to `FIPSCHECK_verify_files_ex'
collect2: ld returned 1 exit status
make[3]: *** [pluto] Error 1
make[2]: *** [programs] Error 1
make[1]: *** [programs] Error 1
make: *** [programs] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.tlNmqM (%build)
Bad exit status from /var/tmp/rpm-tmp.tlNmqM (%build)
I am not sure of the wisdom of using an fc binary instead of el6 so I am
nervous of trying.
</pre>
</blockquote>
<pre wrap="">
You need fipscheck-1.4.0 from fedora, not 1.2.0 from centos. I am
working on fixing it to work with older versions too. But if you don't
care too much about FIPS mode, you can just disable USE_FIPSCHECK in
the spec file.
Paul
</pre>
</blockquote>
<br>
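An added triage example for the failure shown in the 3.5 log above; this is not code from the thread or from the libreswan project. It parses the quoted conn block and a trimmed excerpt of the pluto log, then reports for each failed Quick Mode whether the peer's proposed selectors match the expected conn (MumIn) and whether pluto instantiated a different conn (PaulIn). The sample log and conn text are copied from the thread; the function names and the result fields are my own.

```python
"""Triage pluto (libreswan) IKEv1 responder logs against an ipsec.conf conn. Added example, not project code."""
import re

# Constructed sample: a trimmed excerpt of the syslog lines and the conn quoted in the thread.
SAMPLE_LOG = """\
Sep 21 13:01:52 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: responding to Main Mode from unknown peer 82.30.103.217
Sep 21 13:01:52 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: Main mode peer ID is ID_IPV4_ADDR: '82.30.103.217'
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: the peer proposed: 172.17.2.0/24:0/0 -> 192.168.10.0/24:0/0
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: cannot respond to IPsec SA request because no connection is known for 172.17.2.0/24===82.19.147.85<82.19.147.85>[@Nick]...82.30.103.217===192.168.10.0/24
Sep 21 13:01:53 server pluto[24720]: "PaulIn"[11] 82.30.103.217 #12: sending encrypted notification INVALID_ID_INFORMATION to 82.30.103.217:500
"""
SAMPLE_CONN = ("conn MumIn\n type=tunnel\n authby=secret\n #left=%defaultroute\n left=82.19.147.85\n"
               " leftsubnet=172.17.2.0/24\n leftid=@Nick\n right=damim.dtdns.net\n rightsubnet=192.168.10.0/24\n")

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')

def parse_conn(text):
    """Return (name, settings) for one conn block; lines starting with '#' are comments."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    return lines[0].split(None, 1)[1], dict(l.split("=", 1) for l in lines[1:])

def parse_pluto_log(text):
    """Per ISAKMP state number: instantiated conn, peer, last IKE state, proposed selectors, errors."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # '| ...' debug lines and lines without a state number are skipped
        sa = sas.setdefault(int(m["sa"]), {"state": None, "proposed": None, "errors": []})
        sa["conn"], sa["peer"], msg = m["conn"], m["peer"], m["msg"]
        t = re.search(r"to state (\S+)", msg)
        p = re.search(r"the peer proposed: ([^\s:]+):\S+ -> ([^\s:]+):\S+", msg)
        if t: sa["state"] = t.group(1)
        if p: sa["proposed"] = (p.group(1), p.group(2))  # (our client, peer's client)
        if msg.startswith("cannot respond"): sa["errors"].append("no connection known")
        if "INVALID_ID_INFORMATION" in msg: sa["errors"].append("INVALID_ID_INFORMATION")
    return sas

def triage(log_text, conn_text):
    """For each failed Quick Mode: did the selectors match the expected conn, and did pluto pick another conn?"""
    name, cfg = parse_conn(conn_text)
    expected = (cfg.get("leftsubnet"), cfg.get("rightsubnet"))
    findings = []
    for num, sa in sorted(parse_pluto_log(log_text).items()):
        if sa["errors"]:
            findings.append({"sa": num, "instance": sa["conn"], "expected_conn": name,
                             "selectors_match_expected": sa["proposed"] == expected,
                             "wrong_instance": sa["conn"] != name, "errors": sa["errors"]})
    return findings
```

Run on the sample it reports that the selectors do match MumIn but the request was served by an instance of PaulIn, which is the mismatch to chase before changing subnets or keys.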
</body>
</html>